Intro
本篇介紹一個枚舉工具–gobuster,並詳細介紹它如何使用以及使用場景。
主要介紹dir(網站路徑枚舉)、dns(DNS子域名枚舉)、vhost(虛擬主機枚舉),而其餘的使用大多都有別的工具能夠代替因此就不介紹。
gobuster有多種模式分別對應多個枚舉任務,如網站路徑、DNS子域名等等,如果要查詢各個模式下能使用的參數可以使用gobuster [COMMAND] --help來查詢。下面是它的全部參數使用:
└─$ gobuster --help
Usage:
gobuster [command]
Available Commands:
completion Generate the autocompletion script for the specified shell
dir Uses directory/file enumeration mode
dns Uses DNS subdomain enumeration mode
fuzz Uses fuzzing mode. Replaces the keyword FUZZ in the URL, Headers and the request body
gcs Uses gcs bucket enumeration mode
help Help about any command
s3 Uses aws bucket enumeration mode
tftp Uses TFTP enumeration mode
version shows the current version
vhost Uses VHOST enumeration mode (you most probably want to use the IP address as the URL parameter)
Flags:
--debug Enable debug output
--delay duration Time each thread waits between requests (e.g. 1500ms)
-h, --help help for gobuster
--no-color Disable color output
--no-error Don't display errors
-z, --no-progress Don't display progress
-o, --output string Output file to write results to (defaults to stdout)
-p, --pattern string File containing replacement patterns
-q, --quiet Don't print the banner and other noise
-t, --threads int Number of concurrent threads (default 10)
-v, --verbose Verbose output (errors)
-w, --wordlist string Path to the wordlist. Set to - to use STDIN.
--wordlist-offset int Resume from a given position in the wordlist (defaults to 0)
Use "gobuster [command] --help" for more information about a command.
gobuster dir
└─$ gobuster dir --help
Uses directory/file enumeration mode
Usage:
gobuster dir [flags]
Flags:
-f, --add-slash Append / to each request
--client-cert-p12 string a p12 file to use for options TLS client certificates
--client-cert-p12-password string the password to the p12 file
--client-cert-pem string public key in PEM format for optional TLS client certificates
--client-cert-pem-key string private key in PEM format for optional TLS client certificates (this key needs to have no password)
-c, --cookies string Cookies to use for the requests
-d, --discover-backup Also search for backup files by appending multiple backup extensions
--exclude-length string exclude the following content lengths (completely ignores the status). You can separate multiple lengths by comma and it also supports ranges like 203-206
-e, --expanded Expanded mode, print full URLs
-x, --extensions string File extension(s) to search for
-X, --extensions-file string Read file extension(s) to search from the file
-r, --follow-redirect Follow redirects
-H, --headers stringArray Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2'
-h, --help help for dir
--hide-length Hide the length of the body in the output
-m, --method string Use the following HTTP method (default "GET")
--no-canonicalize-headers Do not canonicalize HTTP header names. If set header names are sent as is.
-n, --no-status Don't print status codes
-k, --no-tls-validation Skip TLS certificate verification
-P, --password string Password for Basic Auth
--proxy string Proxy to use for requests [http(s)://host:port] or [socks5://host:port]
--random-agent Use a random User-Agent string
--retry Should retry on request timeout
--retry-attempts int Times to retry on request timeout (default 3)
-s, --status-codes string Positive status codes (will be overwritten with status-codes-blacklist if set). Can also handle ranges like 200,300-400,404.
-b, --status-codes-blacklist string Negative status codes (will override status-codes if set). Can also handle ranges like 200,300-400,404. (default "404")
--timeout duration HTTP Timeout (default 10s)
-u, --url string The target URL
-a, --useragent string Set the User-Agent string (default "gobuster/3.6")
-U, --username string Username for Basic Auth
Global Flags:
--debug Enable debug output
--delay duration Time each thread waits between requests (e.g. 1500ms)
--no-color Disable color output
--no-error Don't display errors
-z, --no-progress Don't display progress
-o, --output string Output file to write results to (defaults to stdout)
-p, --pattern string File containing replacement patterns
-q, --quiet Don't print the banner and other noise
-t, --threads int Number of concurrent threads (default 10)
-v, --verbose Verbose output (errors)
-w, --wordlist string Path to the wordlist. Set to - to use STDIN.
--wordlist-offset int Resume from a given position in the wordlist (defaults to 0)
gobuster dir [flags]是使用模板,下面介紹幾個常用的參數選項:
-u(必選):要枚舉的IP/網站名稱-w(必選):枚舉要用的字典檔-t:開的多線程,默認是10,推薦用20~50即可-x:會多搜尋指定的檔案類型(默認不會)-m:指定請求類型(默認GET)-c:使用COOKIES
常見用法/例子:
gobuster dir -u "http://www.example.thm" -w /usr/share/dirbuster/wordlists/directory-list-1.0.txt -t 50 #基本路徑枚舉並開50個多線程
gobuster dir -u "http://www.example.thm" -w /usr/share/dirbuster/wordlists/directory-list-1.0.txt -t 50 -x .js,.php #同樣搜尋.js/.php的文件(文件名從字典檔裡枚舉)
gobuster dns
└─$ gobuster dns --help
Uses DNS subdomain enumeration mode
Usage:
gobuster dns [flags]
Flags:
-d, --domain string The target domain
-h, --help help for dns
--no-fqdn Do not automatically add a trailing dot to the domain, so the resolver uses the DNS search domain
-r, --resolver string Use custom DNS server (format server.com or server.com:port)
-c, --show-cname Show CNAME records (cannot be used with '-i' option)
-i, --show-ips Show IP addresses
--timeout duration DNS resolver timeout (default 1s)
--wildcard Force continued operation when wildcard found
Global Flags:
--debug Enable debug output
--delay duration Time each thread waits between requests (e.g. 1500ms)
--no-color Disable color output
--no-error Don't display errors
-z, --no-progress Don't display progress
-o, --output string Output file to write results to (defaults to stdout)
-p, --pattern string File containing replacement patterns
-q, --quiet Don't print the banner and other noise
-t, --threads int Number of concurrent threads (default 10)
-v, --verbose Verbose output (errors)
-w, --wordlist string Path to the wordlist. Set to - to use STDIN.
--wordlist-offset int Resume from a given position in the wordlist (defaults to 0)
枚舉DNS子域名,例如已知有example.com這個域名,那麼便對其做子域名枚舉,同樣需要提供字典檔。
gobuster dns [flags]是使用模板,下面介紹幾個常用的參數選項:
-d(必選):要枚舉的域名-w(必選):枚舉要用的字典檔-r:指定要用哪一個DNS伺服器做DNS解析-c:結果中只包含CNAME-i:結果中只包含解析後的子域名對應的IP
常見用法/例子:
gobuster dns -d example.thm -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt #基本子域名枚舉,Seclist需要額外下載(apt install seclists)
gobuster vhost
└─$ gobuster vhost --help
Uses VHOST enumeration mode (you most probably want to use the IP address as the URL parameter)
Usage:
gobuster vhost [flags]
Flags:
--append-domain Append main domain from URL to words from wordlist. Otherwise the fully qualified domains need to be specified in the wordlist.
--client-cert-p12 string a p12 file to use for options TLS client certificates
--client-cert-p12-password string the password to the p12 file
--client-cert-pem string public key in PEM format for optional TLS client certificates
--client-cert-pem-key string private key in PEM format for optional TLS client certificates (this key needs to have no password)
-c, --cookies string Cookies to use for the requests
--domain string the domain to append when using an IP address as URL. If left empty and you specify a domain based URL the hostname from the URL is extracted
--exclude-length string exclude the following content lengths (completely ignores the status). You can separate multiple lengths by comma and it also supports ranges like 203-206
-r, --follow-redirect Follow redirects
-H, --headers stringArray Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2'
-h, --help help for vhost
-m, --method string Use the following HTTP method (default "GET")
--no-canonicalize-headers Do not canonicalize HTTP header names. If set header names are sent as is.
-k, --no-tls-validation Skip TLS certificate verification
-P, --password string Password for Basic Auth
--proxy string Proxy to use for requests [http(s)://host:port] or [socks5://host:port]
--random-agent Use a random User-Agent string
--retry Should retry on request timeout
--retry-attempts int Times to retry on request timeout (default 3)
--timeout duration HTTP Timeout (default 10s)
-u, --url string The target URL
-a, --useragent string Set the User-Agent string (default "gobuster/3.6")
-U, --username string Username for Basic Auth
Global Flags:
--debug Enable debug output
--delay duration Time each thread waits between requests (e.g. 1500ms)
--no-color Disable color output
--no-error Don't display errors
-z, --no-progress Don't display progress
-o, --output string Output file to write results to (defaults to stdout)
-p, --pattern string File containing replacement patterns
-q, --quiet Don't print the banner and other noise
-t, --threads int Number of concurrent threads (default 10)
-v, --verbose Verbose output (errors)
-w, --wordlist string Path to the wordlist. Set to - to use STDIN.
--wordlist-offset int Resume from a given position in the wordlist (defaults to 0)
虛擬主機是一種伺服器的配置技術,能夠讓不同網站架設在同一台服務器上,通過使用不同HTTP header來區分要訪問哪個網站。
GET / HTTP/1.1
Host: www.example.thm # 可以換成其他的例如blog.example.com
User-Agent: gobuster/3.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
gobuster vhost [flags]是使用模板,下面介紹幾個常用的參數選項:
-u(必選):要枚舉的網址-w(必選):枚舉要用的字典檔--domain:域名--append-domain:把域名加到要枚舉的每個字後面(默認是前面)--exclude-length:排除指定長度的結果
常見用法/例子:
gobuster vhost -u http://10.10.10.10 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt #就會枚舉類似secret.10.10.10.10, blog.10.10.10.10
小結
gobuster算是簡單實用的工具,在很多場景下都會使用,大家如果還沒學會的可以一起學習一下。
謝謝各位看到這邊,如有任何疑問或文章有任何錯漏,歡迎來信與我討論,謝謝!